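--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,221 @@
+# Git
+.git
+.gitignore
+.gitattributes
+.hg/
+.svn/
+
+# Build artifacts
+*.o
+*.lto
+*.a
+*.so
+*.so.*
+*.dylib
+*.dSYM
+*.exe
+*.dll
+*.pyd
+*.wasm
+*.gc??
+*.prebolt
+*.fdata
+*.dyn
+
+# Python cache
+__pycache__/
+*.py[cod]
+*$py.class
+*.pyc
+*.pyo
+
+# Profiling data
+*.profraw
+*.profclang?
+*.profdata
+default.profraw
+gmon.out
+
+# Testing artifacts
+.pytest_cache/
+.ruff_cache/
+.mypy_cache/
+.coverage
+htmlcov/
+*.cover
+.hypothesis/
+
+# IDE and editors
+.vscode/
+.idea/
+.vs/
+.cache/
+*.swp
+*.swo
+*~
+*.iml
+tags
+TAGS
+
+# macOS
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Documentation
+Doc/build/
+Doc/_build/
+Doc/venv/
+Doc/.venv/
+Doc/env/
+Doc/.env/
+
+# Virtual environments
+venv/
+env/
+ENV/
+
+# Temporary and backup files
+*.tmp
+*.bak
+*.log
+*.orig
+*.rej
+tmp/
+temp/
+.gdb_history
+.purify
+core
+
+# Root-level build artifacts
+/_bootstrap_python
+/Makefile
+/Makefile.pre
+/build/
+/builddir/
+/config.cache
+/config.log
+/config.status
+/config.status.lineno
+/.ccache
+/cross-build/
+/jit_stencils*.h
+/platform
+/profile-clean-stamp
+/profile-run-stamp
+/profile-bolt-stamp
+/profile-gen-stamp
+/pybuilddir.txt
+/pyconfig.h
+/python-config
+/python-config.py
+/python.bat
+/python-gdb.py
+/python.exe-gdb.py
+/reflog.txt
+/coverage/
+/externals/
+/htmlcov/
+/python
+python.exe.lto/
+*.framework/
+
+# iOS and Apple
+/iOSTestbed.*
+Apple/iOS/Frameworks/
+Apple/iOS/Resources/Info.plist
+Apple/testbed/build
+Apple/testbed/Python.xcframework/*/bin
+Apple/testbed/Python.xcframework/*/include
+Apple/testbed/Python.xcframework/*/lib
+Apple/testbed/Python.xcframework/*/Python.framework
+Apple/testbed/*Testbed.xcodeproj/project.xcworkspace
+Apple/testbed/*Testbed.xcodeproj/xcuserdata
+
+# Mac
+Mac/Makefile
+Mac/PythonLauncher/Info.plist
+Mac/PythonLauncher/Makefile
+Mac/PythonLauncher/Python Launcher
+Mac/PythonLauncher/Python Launcher.app/*
+Mac/Resources/app/Info.plist
+Mac/Resources/framework/Info.plist
+Mac/pythonw
+
+# Modules
+Modules/Setup.bootstrap
+Modules/Setup.config
+Modules/Setup.local
+Modules/Setup.stdlib
+Modules/config.c
+Modules/ld_so_aix
+Modules/python.exp
+
+# Programs
+Programs/_freeze_module
+Programs/_testembed
+
+# PC (Windows)
+PC/python_nt*.h
+PC/pythonnt_rc*.h
+PC/*/*.exp
+PC/*/*.lib
+PC/*/*.bsc
+PC/*/*.dll
+PC/*/*.pdb
+PC/*/*.user
+PC/*/*.ncb
+PC/*/*.suo
+PC/*/Win32-temp-*
+PC/*/x64-temp-*
+PC/*/amd64
+
+# PCbuild (Windows build)
+PCbuild/*.user
+PCbuild/*.suo
+PCbuild/*.*sdf
+PCbuild/*-pgi
+PCbuild/*-pgo
+PCbuild/*.VC.db
+PCbuild/*.VC.opendb
+PCbuild/amd64/
+PCbuild/arm32/
+PCbuild/arm64/
+PCbuild/obj/
+PCbuild/win32/
+
+# Tools
+Tools/unicode/data/
+Tools/msi/obj
+Tools/ssl/amd64
+Tools/ssl/win32
+Tools/freeze/test/outdir
+
+# Misc
+Misc/python.pc
+Misc/python-embed.pc
+Misc/python-config.sh
+
+# Include
+Include/pydtrace_probes.h
+
+# Lib
+Lib/site-packages/*
+!Lib/site-packages/README.txt
+Lib/test/data/*
+!Lib/test/data/README
+
+# Python frozen modules
+Python/frozen_modules/*.h
+Python/frozen_modules/MANIFEST
+
+# Claude config
+/.claude/
+CLAUDE.local.md
+
+# Docker files (avoid recursive inclusion)
+.dockerignore
+Dockerfile
+
+# Local development
+foo.py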
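Review bot: Patterns written without a `**/` prefix, such as `*.o`, `*.so`, `*.py[cod]`, `__pycache__/`, `.DS_Store` and `core`, match only at the root of the build context in a `.dockerignore`; unlike `.gitignore`, they do not apply at every depth. Because the Dockerfile in this change does `COPY . /usr/src/python`, host-built objects and bytecode lying in subdirectories such as `Modules/` or `Lib/` would still be sent into the build, where `make` may treat them as up to date instead of rebuilding them inside the image. Prefix the depth-independent entries, for example `**/*.o`, `**/__pycache__/` and `**/*.py[cod]`. The trailing `foo.py` entry under "Local development" looks like a personal scratch file and probably does not belong in a committed ignore list.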
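--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,120 @@
+FROM debian:trixie-slim
+
+ENV PATH=/usr/local/bin:$PATH
+ENV PYTHONDONTWRITEBYTECODE=1
+
+RUN set -eux; \
+apt-get update; \
+apt-get install -y --no-install-recommends \
+ca-certificates \
+netbase \
+tzdata \
+; \
+apt-get dist-clean
+
+COPY . /usr/src/python
+
+RUN set -eux; \
+\
+savedAptMark="$(apt-mark showmanual)"; \
+apt-get update; \
+apt-get install -y --no-install-recommends \
+dpkg-dev \
+gcc \
+gnupg \
+libbluetooth-dev \
+libbz2-dev \
+libc6-dev \
+libdb-dev \
+libffi-dev \
+libgdbm-dev \
+liblzma-dev \
+libncursesw5-dev \
+libreadline-dev \
+libsqlite3-dev \
+libssl-dev \
+libzstd-dev \
+make \
+tk-dev \
+uuid-dev \
+wget \
+xz-utils \
+zlib1g-dev \
+; \
+\
+cd /usr/src/python; \
+gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+./configure \
+--build="$gnuArch" \
+--enable-loadable-sqlite-extensions \
+--enable-optimizations \
+--enable-option-checking=fatal \
+--enable-shared \
+$(test "${gnuArch%%-*}" != 'riscv64' && echo '--with-lto') \
+--with-ensurepip \
+; \
+nproc="$(nproc)"; \
+EXTRA_CFLAGS="$(dpkg-buildflags --get CFLAGS)"; \
+LDFLAGS="$(dpkg-buildflags --get LDFLAGS)"; \
+LDFLAGS="${LDFLAGS:--Wl},--strip-all"; \
+arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
+case "$arch" in \
+amd64|arm64) \
+EXTRA_CFLAGS="${EXTRA_CFLAGS:-} -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer"; \
+;; \
+i386) \
+;; \
+*) \
+EXTRA_CFLAGS="${EXTRA_CFLAGS:-} -fno-omit-frame-pointer"; \
+;; \
+esac; \
+make -j "$nproc" \
+"EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" \
+"LDFLAGS=${LDFLAGS:-}" \
+; \
+rm python; \
+make -j "$nproc" \
+"EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" \
+"LDFLAGS=${LDFLAGS:--Wl},-rpath='\$\$ORIGIN/../lib'" \
+python \
+; \
+make install; \
+\
+cd /; \
+rm -rf /usr/src/python; \
+\
+find /usr/local -depth \
+\( \
+\( -type d -a \( -name test -o -name tests -o -name idle_test \) \) \
+-o \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \) \) \
+\) -exec rm -rf '{}' + \
+; \
+\
+ldconfig; \
+\
+apt-mark auto '.*' > /dev/null; \
+apt-mark manual $savedAptMark; \
+find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' \
+| awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "*%s\n", so }' \
+| sort -u \
+| xargs -rt dpkg-query --search \
+| awk 'sub(":$", "", $1) { print $1 }' \
+| sort -u \
+| xargs -r apt-mark manual \
+; \
+apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+apt-get dist-clean; \
+\
+export PYTHONDONTWRITEBYTECODE=1; \
+python3 --version; \
+pip3 --version
+
+RUN set -eux; \
+for src in idle3 pip3 pydoc3 python3 python3-config; do \
+dst="$(echo "$src" | tr -d 3)"; \
+[ -s "/usr/local/bin/$src" ]; \
+[ ! -e "/usr/local/bin/$dst" ]; \
+ln -svT "$src" "/usr/local/bin/$dst"; \
+done
+
+CMD ["python3"]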
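Review bot: `COPY . /usr/src/python` commits the whole build context as a layer of its own, so the `rm -rf /usr/src/python` inside the following `RUN` hides the tree but does not remove it from the image. The full source, plus anything the `.dockerignore` fails to exclude, remains extractable from the layer history and the image carries its size. Doing the build in a separate stage (`FROM debian:trixie-slim AS build`) and bringing only the installed tree into the final stage with `COPY --from=build /usr/local /usr/local` avoids this; the runtime-library `apt-mark` step would then move to the final stage. Separately, the base image is referenced by a mutable tag rather than a digest and there is no `USER` instruction, so `CMD ["python3"]` runs as root by default. `gnupg` and `wget` are installed for the build, yet nothing in this file downloads or verifies anything, so they look removable.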
8 changes: 8 additions & 0 deletions Include/internal/pycore_context.h
Expand Up @@ -26,6 +26,9 @@ struct _pycontextobject {
PyHamtObject *ctx_vars;
PyObject *ctx_weakreflist;
int ctx_entered;
struct {
unsigned int deserialization_taint_counter;
} security_ctx;
};


Expand Down Expand Up @@ -55,5 +58,10 @@ struct _pycontexttokenobject {
// Export for '_testcapi' shared extension
PyAPI_FUNC(PyObject*) _PyContext_NewHamtForTests(void);

// Deserialization guard API
PyAPI_FUNC(int) _PyContext_IncrementDeserializationTaint(void);
PyAPI_FUNC(int) _PyContext_DecrementDeserializationTaint(void);
PyAPI_FUNC(int) _PyContext_IsDeserializationTainted(void);


#endif /* !Py_INTERNAL_CONTEXT_H */
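Review bot: The three `_PyContext_*DeserializationTaint` declarations in the second hunk state neither their return convention nor what happens at the limits of `deserialization_taint_counter`, which the first hunk declares as `unsigned int`. The implementation is not part of this section, so this is a question rather than a finding: unless the functions check for it, an unbalanced decrement at 0 wraps to `UINT_MAX`, and an increment at `UINT_MAX` wraps to 0, which would read as untainted and silently disable the guard. I would document the contract above the declarations, for instance `// Increment/Decrement return 0 on success and -1 with an exception set; decrementing at 0 or incrementing at UINT_MAX is an error.`, adjusted to what the code really does. It is also worth stating next to `security_ctx` whether the counter is carried over when a context is copied, since that decides whether taint follows work handed to another context. Both structs continue outside the hunks shown.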